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FOREWORD 


1.  This  tailoring  document  defines  the  Government’s  requirements  and  expectations  for 
contractor  performance  in  defense  system  acquisitions  and  technology  developments. 

2.  This  SMC  tailoring  was  developed  by  the  SMC/EN  Risk  Management  Advisor  and 
comprises  tailoring  to  the  risk  management  requirements  of  IEEE-5288.1,  Standard  for 
Application  of  Systems  Engineering  on  Defense  Programs.  The  major  changes  from  the  2014 
version  include  update  of  references/1  inks  and  clarification  of  risk  handling  plan  requirements 
(Section  3.2.3  a.  1 1). 

3.  Beneficial  comments  (recommendations,  changes,  additions,  deletions,  etc.)  and  any 
pertinent  data  that  may  be  of  use  in  improving  this  document  should  be  forwarded  to  the 
following  addressee  using  the  Standardization  Document  Improvement  Proposal  appearing  at  the 
end  of  this  document  or  by  letter: 


Division  Chief,  SMC/ENE 
SPACE  AND  MISSILE  SYSTEMS  CENTER 
Air  Force  Space  Command 
483  N.  Aviation  Blvd. 

El  Segundo,  CA  90245 

4.  This  tailoring  document  has  been  approved  for  use  on  all  Space  and  Missile  Systems 
Center/Air  Force  Program  Executive  Office  -  Space  development,  acquisition,  and  sustainment 
contracts. 
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Space  and  Missile  Systems  Center 
Risk  Management  Supplement  to  IEEE- 15288.1. 

1 .  Intent  of  this  Tailoring  Document 

This  tailoring  document  is  an  organizationally-unique  supplement  to  the  industry-consensus 
systems  engineering  standard,  adding  risk  management  requirements  that  have  been  deemed 
valuable  by  USAF  and  the  Space  and  Missile  Systems  Center  (SMC)  for  mission 
assurance/success  of  high-reliability  space  systems.  This  tailoring  document  supplements  IEEE 
15288.1-2015  Clause  6.3.4,  Risk  Management  Process. 

2.  Context 

2.1 .  ISO-IEC-IEEE-1 5288:  201 5, 

Systems  and  Software  Engineering  —  System  life  cycle  processes 

ISO-IEC-IEEE  15288  is  the  DOD-adopted  standard  for  systems  engineering.1 

2.2.  IEEE-15288.1:  2015, 

Standard  for  Application  of  Systems  Engineering  on  Defense  Programs 

IEEE  15288.1  is  an  addendum  to  ISO-15288  for  application  of  systems  engineering  on 
defense  programs  that  was  developed  by  a  joint  services  working  group  under  the  auspices 
of  the  Defense  Standardization  Council.  The  Joint  DOD  Systems  Engineering  working 
group  was  led  by  industry  and  the  SMC  Chief  Systems  Engineer  on  behalf  of  DOD.  This 
systems  engineering  standard  was  developed  in  conjunction  with  IEEE  15288.2,  Technical 
Reviews  and  Audits  on  Defense  Programs,  and  coordinated  with  SAE  International’s  EIA- 
649-1,  Configuration  Management  for  Defense  Programs.  IEEE  15288.1  was  fonnalized  as 
a  standard  by  the  IEEE’s  Computer  Society.  The  balloting  involved  a  broad  range  of 
government  and  industry  members  and  was  nearly  unanimous.  IEEE  15288. 1  has  been 
adopted  by  DOD  for  use  on  contracts. 


1  Notice  -  Adoption,  Tier  2.  http://quicksearch.dla.mil/qsDocDetails.aspx7ident_numbeF213120 
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3.  SMC  Tailoring  of  IEEE  15288.1 

3.1.  General  Risk  Management  Tailoring  Instructions 

The  requirements  in  this  document  shall  be  used  in  conjunction  with  ISO-IEC-IEEE  15288 
and  IEEE  15288.1  on  contract. 

The  requirements  of  this  document  shall  prevail  in  the  event  of  conflict  between  this 
document  and  ISO-IEC-IEEE  15288  or  IEEE  15288.1. 

This  document.  SMC-T-005  (2015),  Risk  Management  Supplement  to  IEEE  15288.1, 
provides  additional  requirements  to  IEEE  15288.1-2015  and  shall  be: 

1 .  Nonnative  (requirements  rather  than  informative  guidance), 

2.  Tailored  appropriately  for  specific  acquisition/contract  considerations,  and 

3.  Implemented  as  part  of  the  performance  of  IEEE  15288. 1  Task  6.3.4,  Risk  Management 
Process. 

3.2.  Specific  Risk  Management  Tailoring  Language 

3.2.1  Risk  Management  Program 


The  contractor  shall  establish  and  implement  a  risk  management  program  that  includes  and 
integrates  the  required  systems  engineering  considerations  specified  in  this  document. 

3.2.2  Required  Products 


a)  Risk  Management  Plan 

b)  Risk  List 

3.2.3  Required  Product  Attributes 


a.  The  Risk  Management  Plan: 

(1)  Specifies  a  process  that  plans  and  documents  the  risk  management 
process,  identifies  and  adjudicates  candidate  risks,  analyzes  approved 
risks,  develops  and  implements  risk  handling  plans  for  all  medium 
and  high  risks  (and  selected  low  risks),  monitors  progress  associated 
with  the  implemented  risk  handling  plans  and  feeds  this  information 
back  to  prior  process  steps,  and  documents  risk  infonnation. 

(2)  Includes  a  risk  management  planning  process  step  that  incorporates  items 
necessary  to  develop,  implement,  and  document  the  risk  management 
program  via  a  Risk  Management  Plan  (RMP)  or  equivalent.  Relevant  items 
may  include  a  description  of  the  risk  management  process  steps  (with  inputs, 


2 


methodologies  or  approaches,  and  outputs  per  step),  candidate  risk 
categories,  ground  rules  and  assumptions,  roles  and  responsibilities  for 
implementing  risk  management,  risk  board(s)  and  membership(s)  as 
appropriate,  metrics  for  monitoring  and  evaluating  risk  management  results, 
provisions  for  risk  management  training,  a  description  of  risk  management 
software  used  and/or  templates  for  risk  reports  and  reviews,  and  references. 


(3)  Includes  a  methodology  for  risk  identification  that  encompasses  both  top- 
level  approaches  such  as  products  (e.g.,  Work  Breakdown  Structure  (WBS), 
processes,  requirements/critical  parameters,  risk  categories)  and  lower-level 
approaches  (e.g.,  affinity;  brainstonning;  checklists;  critical/near-critical 
path;  diagramming  methods;  expert  opinion;  failure  and  reliability 
information;  lessons  learned  from  analogous  programs;  scenario  analysis; 
strengths,  weakness,  opportunities,  threats;  trigger  questions).  See  the  Air 
Force  Space  and  Missile  Systems  Center  Risk  Management  Process  Guide, 
Section  3.2,  5  September  2014  (or  later  version)2  for  additional  information. 
While  ad  hoc  risk  identification  may  use  one  or  more  lower-level 
approaches,  comprehensive  risk  identification  should  use  one  or  more  top- 
level  approaches  coupled  with  one  or  more  lower-level  approaches. 

(4)  Includes  an  established  process  for  continued  identification  of  risks 
throughout  the  program  life  cycle. 

(5)  Includes  risks  associated  with  contractually  identified  variations, 
uncertainties,  and  evolutions  in  system  environments. 

(6)  Analyzes  risks  in  tenns  of  the  likelihood  (probability)  of  occurrence  and  the 
resulting  consequence  (impact)  with  regards  to  cost  (including  life-cycle 
costs),  schedule,  and  technical.  If  qualitative  methodologies  are  used  (e.g., 
risk  scales),  the  likelihood  and  consequence  values  are  estimated  and 
converted  to  risk  levels  (low,  medium,  and  high)  using  the  maximum  of  the 
resulting  likelihood  value(s)  and  the  maximum  of  the  three  consequence 
values  (cost,  schedule,  and  technical)  with  a  risk  mapping  matrix  (e.g., 

AFP  AM  63-128,  20 143,  Figure  12.2).  (Note:  Mathematical  operations 
performed  on  likelihood  and  consequence  values  may  yield  erroneous 
results.)  The  qualitative  risk  analysis  includes  cost,  schedule,  and  technical 
(including  but  not  limited  to  design,  integration,  manufacturing,  support, 
technology,  and  threat)  uncertainties  and  sensitivity  to  program,  product,  and 
process  assumptions.  The  qualitative  risk  analysis  also  includes  a 
methodology  for  prioritizing  risks  that  have  identical  likelihood  and 
consequence  values. 


2  https://acc.dau.mil/CommunityBrowser.aspx?id=715033&lang=en-US 

3  http://www.e-publishing.af.mil/  [search  for  “AFPAM63-128”] 
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(7)  Cost,  performance,  and  schedule  risks  are  analyzed  using  appropriate 
quantitative  methods  (e.g.,  Monte  Carlo  simulation),  and  include 
uncertainties  and  sensitivity  to  program,  product,  and  process  assumptions. 

(8)  Includes  the  activities  and  criteria  for  identifying,  analyzing,  validating,  and 
transitioning  critical  technologies  from  technology  development  and 
demonstration  programs,  including  commercially  developed  technologies. 

(9)  Includes  technology  readiness  level  (TRL)  in  perfonnance,  affordability,  and 
life-cycle  processes  in  the  criteria.  (Note:  TRL  and  other  readiness  level 
scores  are  not  risk  because  they  are  unrelated  to  the  consequence  dimension. 
They  are,  however,  indicators  of  portions  of  the  probability  dimension  of 
risk.) 

(10)  Includes  a  structured  process  for  evaluating  risk  handling  options  and 
developing  a  risk  handling  strategy  (option  plus  implementation  approach). 

At  a  minimum,  the  assumption  (acceptance),  avoidance,  mitigation  (control)  , 
and  transfer  options  should  be  examined,  the  “best”  option  selected,  and  a 
suitable  implementation  approach  developed  for  that  option  (or  hybrid  of 
multiple  options). 

(11)  Includes  an  approach  for  developing  risk  handling  plans  for  all  medium  and 
high  risks  and  selected  low  risks.  Resources  necessary  to  implement  each 
activity  contained  in  the  risk  handling  plan  should  be  identified  and  specified 
whether/not  the  resources  are  part  of  the  baseline  program.  Risk  handling 
activities  (or  at  a  minimum  a  subset  of  the  handling  activities)  should  be 
included  in  the  program’s  Integrated  Master  Schedule  (IMS).  A  risk 
waterfall/burndown  (graphical)  chart  (including  a  listing  of  handling 
activities)  should  be  developed  for  each  implemented  risk  handling  plan  that 
includes  actual  vs.  planned  progress  associated  with  both  risk  level  and 
schedule  for  the  implemented  risk  handling  plan  and  its  activities.  Low  risks 
not  requiring  risk  handling  plans  are  documented  in  a  program  watch  list  and 
periodically  re-evaluated  to  ensure  that  suitable  progress  is  being  made  to 
either  close  the  risk  or  reduce  it  to  an  acceptable  level. 

(12)  Includes  secondary  risk  handling  strategies  for  moderate  and  high  risks  as 
appropriate. 

(13)  Includes  a  risk  waterfall/burndown  chart  methodology  for  periodically 
monitoring  (e.g.,  monthly,  and  at  other  times  when  needed)  actual  vs.  planned 
progress  for  implemented  risk  handling  plans  and  associated  activities  in  terms 
of  risk  likelihood  and  consequence  scores  (and  risk  level),  schedule  (IMS)  and 
appropriate  metrics  and  technical  perfonnance  measures  (TPMs).  This 
information  is  fed  back  to  update  the:  1)  risk  handling  plans,  2)  risk  analysis 
results,  3)  risk  identification  information,  and  4)  risk  management  planning  as 
needed. 
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b.  The  Risk  List: 


(1)  Includes  suitable  documentation  for  all  low,  medium,  and  high  risks,  and 
all  risk  identification,  risk  analysis,  risk  handling,  and  risk  monitoring 
infonnation. 

(2)  Includes  a  separate  list  of  all  watch  list  items.  The  resulting  risk  lists  are 
maintained  in  a  suitable  database  that  will  pennit  interrogation  of  and 
updates  to  infonnation  over  the  life  of  the  program. 


4.  Applicable  Documents 

The  following  documents  fonn  a  part  of  this  document  to  the  extent  specified  herein.  Unless 
otherwise  specified  the  issues  of  these  documents  are  those  cited  in  the  solicitation  or  contract. 

•  ISO-IEC-IEEE- 15288:  2015,  Systems  and  Software  Engineering  —  System  life  cycle 
processes. 

•  IEEE-15288. 1 :  2015,  Standard  for  Application  of  Systems  Engineering  on  Defense 
Programs. 
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